Skip to content

bug: virtual resources apiserver resolves to wrong endpoint slice #3695

New issue
New issue
Open
#3696
Open
bug: virtual resources apiserver resolves to wrong endpoint slice#3695
#3696
Assignees
gman0
Labels
kind/bugCategorizes issue or PR as related to a bug.
@gman0

Description

@gman0
gman0
opened on Nov 3, 2025

Describe the bug

VR apiserver needs to retrieve VW endpoint slice where it forwards the request, and it does so by listing.

kcp/pkg/server/virtualresources/server.go

Lines 79 to 100 in fa4e118

getUnstructuredEndpointSlice: func(ctx context.Context, cluster logicalcluster.Name, gvr schema.GroupVersionResource, name string) (*unstructured.Unstructured, error) {
list, err := c.Extra.DynamicClusterClient.Cluster(cluster.Path()).Resource(gvr).List(ctx, metav1.ListOptions{})
if err != nil {
return nil, err
}
if len(list.Items) == 0 {
return nil, apierrors.NewNotFound(gvr.GroupResource(), name)
}
var slice *unstructured.Unstructured
for _, item := range list.Items {
if item.GetName() == name {
if slice != nil {
return nil, apierrors.NewInternalError(fmt.Errorf("multiple objects found"))
}
slice = &item
}
}
return slice, nil
},

The request's context is missing shard name, and so the listing needs to do a wildcard search.

Secondly, when the list is being constructed, cluster annotation is set incorrectly:

https://github.com/kcp-dev/kubernetes/blob/ffe1d7c8649b8fef60c69cf91924fb34a2c64fbb/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go#L830-L833

Each item is annotated with the cluster name from the request instead of their real cluster of origin.

Both of these issues then lead to a situation where, if there are more endpoint slices with the same GVR and name (in different workspaces), VR apiserver will fail the slice resolution because the endpoint slice list used for searching contains more then one match.

Steps To Reproduce

  • Create a CachedResource my-cached-resource in workspaces root:a and root:b. An associated CachedResourceEndpointSlice is created automatically with the same name.
  • Create an APIExport in b, and bind to it in root:c
  • List the bound cached resource in c.
  • The request will fail with Error from server (InternalError): Internal error occurred: error resolving resource: Internal error occurred: multiple objects found because there was more than one endpoint slice with matching name.

Expected Behaviour

VR apiserver should always pick correct endpoint slice.

Additional Context

No response

Metadata

Metadata

Assignees

Labels

kind/bugCategorizes issue or PR as related to a bug.

Type

No type

Projects

kcp

Status

New

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions